How Check Point and Tufin could win at SDN

Software Defined Networking (SDN) is a game changer and will make most of you reading this blog expensive unemployable boat anchors. Better off learning Cobol. What is it? You can try and read all the blah blah Cisco articles, but they use big words that mean nothing and will leave you with more questions than answers. I took a 1 day Cisco ACI class put on by Dain Deutschman and World Wide Technology, and he did a great job boiling down the good, bad and ugly.

Basically ACI and SDN has this dream that a CIO will have a menu of items:

  1. New service offering for health care product
  2. Need a forest of web servers
  3. Need some backend databases
  4. Need some admin stations
  5. Need Internet access
  6. Need this to have access to SAP
  7. Need to comply with HIPAA

push a button and a Python script will spit it all out with no expensive IT whiners telling him/her what a cluster fudge it will be. Cisco ACI is the networking portion of the environment that replace the  expensive IT whiners that now have to touch every switch, router, etc to configure. ACI will put that router geek in the same unemployment line as a PHD Art Majors. It spins up routers, firewalls, switches, rulebases, etc. It can interact with VMWare, by spinning up a special virtual switch in the VM environment that links into the Cisco L2 environment.

So just like VMware, it will be easy to spin up systems and configure them. The cost of deployment will drop like a rock, just as it has in VMware.

And now for the dark side……..

Seeing I am an expensive whiner I’m here to say “Not happening any time soon – but brushing up my resume”. SDN is going to happen, is happening but its going to be a cluster fudge….and CheckPoint has a great shot of being a winner at the game.

Downsides:

  1. It will scale exponentially like VMware replacing physical servers
  2. Naming schemes will be all over the place because scripts will generate names
  3. Lifecycle manageability will be just like a rulebase, rules go in but never come out
  4. Debugging will be a nightmare. ACI depends upon tunnels in tunnels. Have you ever tried debugging GRE? Have fun with that.
  5. ACI specifically has way too many moving parts, when something goes wrong finding the culprit that was created by a script will be crazy
  6. Remember, not only are they integrating networking/servers, you are also spinning up rulebases and firewalls all with one script. Imaging dynamic rulebases. We can’t even debug the ones we have now!
  7. Licensing..if you think its bad now…..both technically and asset management will be really bad. You will be buying crap that you already paid for because you’ve been through 10 admins/purchasing people and the new ones have no clue what is going on.
  8. Right now ACI only uses IPs and ports. No NexGen. NexGen firewalls will bog the whole thing down and make debugging even worse.
  9. Cisco’s ACI management environment is…….a Cisco management environment……a toy. If and when ACI/SDN takes off the scalability will be huge because now scripts will do what it now takes expensive IT whiners. Because the cost of deployment will drop, CIOs will go crazy deploying new environments. So just like a firewall rule base, the environment will explode….and no one will clean up the mess as admins leave. Who would risk taking down an entire network environment that hasn’t been touched for 5 years and has no owner and weird naming schemes and random traffic flows?

So in the end technology on top of technology on top of technology on top of technology with the goal of replacing whining IT boat anchors….will create a new breed of super expensive whining IT boat anchors. These people will be even more critical to the org, because their skillset will control the whole environment, not just a router.

Here are some tips to keeping that paycheck  coming to pay for all your toys:

  1. Get VMware or Cisco ACI on your resume or take classes
  2. Learn Python, PHP, Pearl like the back of your hand (Software vs. Hardware Config via scripting)
  3. Learn SQL like the front of your hand
  4. Look for gigs at enterprise shops that are going to virtual data centers
  5. If you haven’t boned up on VLANs and routing better start now
  6. If you are a router geek, start learning current and Nex Gen firewalls

With that said, there is one more void in the marketplace…the management environment. So here comes the Check Point /Tufin rah-rah. On the off chance that R80 works, Check Point has been the only management environment that I’ve seen that has the potential to manage this crazy new wold. Check Point has always had a great mindset for ‘single pane of glass enterprise management’ that scales. I think Cisco should buy Check Point and Tufin and have them go crazy with R80 to include ACI. Right now R80+++ will be able to integrate with ACI at the fringes with a REST API, but that is child’s play. Go big, all in I say.

Oh yeah, make sure Cisco fires all the people that do licensing. Geez louise I hate licensing.

Aside: My VMware security geek friends say VMware is in similar boat. Their firewall is like IPchains, just sad and won’t scale. Not sure about management environment. CP could play here, but right now just doing REST API which is child’s play. Gotta get inside. I don’t know enough at this point to say more.

Off to CPX.

Peace out,

dreez

PS Special thanks to Cisco/Palo Alto super smart young good looking guy Jacob Durocher who spent hours with me trying to figure out what ACI is and what the future will look like.

IMG_20150303_084057

Advertisements
Post a comment or leave a trackback: Trackback URL.

Comments

  • Irek Romaniuk  On May 6, 2015 at 10:42 am

    Agree, CP has SDN Controller already in place. I learn Python, plus MEAN (Mongo non-sql, express and event-driven node.js) instead of legacy LAMP (PHP, SQL). And recently more Docker containers and OpenStack stuff than VMware

  • Irek Romaniuk  On May 6, 2015 at 10:43 am

    see you on CPX

  • Bob Mog  On May 6, 2015 at 7:51 pm

    OK so SDN is to create your own cloud for easy deployment of Infrastructure. If you’re going to do that why wouldn’t you just use someone elses cloud. I see more external cloud adoptions rather than large customer setting up their own complext SDN.

  • Irek Romaniuk  On May 8, 2015 at 6:59 am

    It is never about one fits all, there are companies who help to build private cloud

  • Ashish  On May 20, 2015 at 12:50 pm

    Some of the best network minds has their views on SDN :

    http://herdingpackets.net/2015/02/27/thoughts-on-building-tools-versus-programming/

    • Dreezman  On May 20, 2015 at 1:05 pm

      This is great blog, thanks. Not sure I agree but great discussion that must be had.

  • Dain  On August 22, 2015 at 7:05 pm

    Good post Dreez. Thanks for the mention! – Dain

    • Dreezman  On August 23, 2015 at 3:06 am

      You were a great instructor Dain. Even though I wasn’t a Cisco geek I understood what was going on and you explained all the important points perfectly. Thanks again.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.

%d bloggers like this: